github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 04:48:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: metrics should be protected behind authZ (#1895)

Browse Source 
Signed-off-by: Alexei Dodon <adodon@cisco.com>
This commit is contained in:
Alexei Dodon
2023-10-20 10:33:26 +03:00
committed by GitHub
parent a44ca578a1
commit a345ba0823
13 changed files with 508 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
test/blackbox/helpers_metrics.bash
+3
View File
@@ -1,3 +1,6 @@
METRICS_USER=observability
METRICS_PASS=MySecreTPa55
function metrics_route_check () {
local servername="http://127.0.0.1:${1}/metrics"
status_code=$(curl --write-out '%{http_code}' ${2} --silent --output /dev/null ${servername})
test/blackbox/metrics.bats
+22 -2
View File
@@ -32,6 +32,7 @@ function setup_file() {
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
htpasswd -Bbn ${METRICS_USER} ${METRICS_PASS} >> ${zot_htpasswd_file}
mkdir -p ${zot_root_dir}
touch ${zot_log_file}
@@ -48,6 +49,19 @@ function setup_file() {
"htpasswd": {
"path": "${zot_htpasswd_file}"
}
},
"accessControl": {
"metrics":{
"users": ["${METRICS_USER}"]
},
"repositories": {
"**": {
"anonymousPolicy": [
"read"
],
"defaultPolicy": ["read","create"]
}
}
}
},
"log": {
@@ -80,14 +94,20 @@ function teardown_file() {
}
@test "unauthorized request to metrics" {
# anonymous policy: metrics endpoint should not be available
# 401 - http.StatusUnauthorized
run metrics_route_check 8080 "" 401
[ "$status" -eq 0 ]
# user is not in htpasswd
run metrics_route_check 8080 "-u unlucky:wrongpass" 401
[ "$status" -eq 0 ]
# proper user/pass tuple from htpasswd, but user not allowed to access metrics
# 403 - http.StatusForbidden
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 403
[ "$status" -eq 0 ]
}
@test "authorized request: metrics enabled" {
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
run metrics_route_check 8080 "-u ${METRICS_USER}:${METRICS_PASS}" 200
[ "$status" -eq 0 ]
}
test/blackbox/metrics_minimal.bats
+24 -2
View File
@@ -32,6 +32,7 @@ function setup_file() {
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
htpasswd -Bbn ${METRICS_USER} ${METRICS_PASS} >> ${zot_htpasswd_file}
mkdir -p ${zot_root_dir}
touch ${zot_log_file}
@@ -48,6 +49,20 @@ function setup_file() {
"htpasswd": {
"path": "${zot_htpasswd_file}"
}
},
"accessControl": {
"metrics":{
"users": ["${METRICS_USER}"]
},
"repositories": {
"**": {
"anonymousPolicy": [
"read",
"create"
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
@@ -72,13 +87,20 @@ function teardown_file() {
}
@test "unauthorized request to metrics" {
# anonymous policy: metrics endpoint should not be available
# 401 - http.StatusUnauthorized
run metrics_route_check 8080 "" 401
[ "$status" -eq 0 ]
# user is not in htpasswd
run metrics_route_check 8080 "-u test:wrongpass" 401
[ "$status" -eq 0 ]
# proper user/pass tuple from htpasswd, but user not allowed to access metrics
# 403 - http.StatusForbidden
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 403
[ "$status" -eq 0 ]
}
@test "authorized request: metrics enabled" {
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
run metrics_route_check 8080 "-u ${METRICS_USER}:${METRICS_PASS}" 200
[ "$status" -eq 0 ]
}
}